The security log is now full
The security log is now full. When the security log reaches maximum capacity and is configured to 'Do not overwrite events', no new security events can be recorded.
Event ID 1104 is generated when the Windows Security Event Log reaches its maximum allocated storage capacity and system log policy prevents overwriting older records. Once logged, the system stops writing new security telemetry until cleared.
Failure Reason / Root Cause:
Improper event log retention policy configuration, log storage capacity limits reached, or intentional log flooding by an adversary.
Raw Event XML snippet
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>1104</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2026-07-17T09:54:44.850Z" />
<EventRecordID>1048576</EventRecordID>
<Correlation />
<Execution ProcessID="612" ThreadID="1024" />
<Channel>Security</Channel>
<Computer>DC01.enterprise.internal</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">SYSTEM</Data>
<Data Name="SubjectDomainName">NT AUTHORITY</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<!-- Event telemetry fields specific to The security log is now full -->
</EventData>
</Event>MITRE ATT&CK mapping
| ID | Technique | Tactic |
|---|---|---|
T1562.002 | Impair Defenses: Disable Windows Event Logging | Defense Evasion |
Recommended actions
- Audit Event Viewer retention settings via Group Policy (`Overwrite events as needed` should generally be enabled along with SIEM forwarding).
- Verify SIEM log forwarding pipelines to confirm whether events were successfully archived prior to capacity saturation.